
Re: VS / kernel 2.2 porting

To: Brad Midgley <brad@xxxxxxx>
Subject: Re: VS / kernel 2.2 porting
Cc: VS List <linux-virtualserver@xxxxxxxxxxxx>
From: Wensong Zhang <wensong@xxxxxxxxxxxx>
Date: Mon, 29 Mar 1999 22:48:20 +0800
At 14:05 99-3-28 -0700, Brad Midgley wrote:
>hi everybody,
>
>i have been investigating how vs will fit with ipchains. the very simplest
>way to work with ipchains is to add a new target value, say VIRT, for
>rules to the existing values (currently ACCEPT, DENY, REJECT, MASQ, REDIR,
>and RETURN). 
>
>the existing ipchains utility could be used to set up virtual servers:
>
>1. create a user-defined chain with one rule per server and make each rule
>use the VIRT target.
>
>2. create a rule in the input chain that watches for SYN TCP packets on
>the ports of interest and directs such packets to the user-defined chain.
>

I have read some of the ipchains code. I see that ipchains is used to
filter packets, the filter rules can be hooked at three points (input
chain, output chain, forward chain), and user-defined chains can flexibly
define filtering rules and can be inserted into the three built-in
chains. The masquerading code still remains a separate part, which
is on the same level as the three built-in chains.

If you want to port the vs patch to kernel 2.2 as a separate part at
the routing level, it requires a lot of coding to implement a hash table
of connections, timing of connections and garbage collection of those
stale connections. That will be like Rusty's netfilter framework, in
which NAT/masq/redirect/load-sharing/packet filtering are merged
together. We will definitely port the vs patch to the netfilter framework
finally.

>the existing ipchains implementation will catch setup packets and send
>them to the user-defined chain. the first rule will match and then the
>VIRT code kicks in: it will arbitrarily choose one of the servers in the
>chain, set a masq entry accordingly, and ACCEPT the packet so it passes
>past the input chain and gets demasq'd to the appropriate server.
>
>what do you think?

In this section, you want to port the vs patch to kernel 2.2 still as
a part of the masquerading code. I think it just needs manually patching
the vs to kernel 2.2; it will work.

All else that we need to do with ipchains is to use the ipchains utility
to specify some rules to let packets destined for the virtual service pass
to the masquerading code, or at least not let the packets be filtered out.

>
>Brad
>brad@xxxxxxx | http:/www.pht.com/~brad/
>

Good luck,

Wensong
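
The connection state described in the reply (a hash table of connections, per-connection timing, and garbage collection of stale entries), combined with the SYN-only server choice from the quoted proposal, as a user-space C illustration. This is an added example, not part of the original message and not LVS or kernel code; every name, the table size, the 300-second timeout and the round-robin choice are assumptions.

```c
/* Added illustration, not LVS or kernel code; every name here is hypothetical. */
#include <stdint.h>
#include <stdlib.h>

#define TAB_SIZE 256       /* hash buckets (assumed) */
#define CONN_TIMEOUT 300   /* idle seconds before an entry is stale (assumed) */

struct conn {
    uint32_t caddr; uint16_t cport;  /* client address and port (the key) */
    int server;                      /* index of the chosen real server */
    long expires;                    /* absolute expiry time in seconds */
    struct conn *next;               /* bucket chain */
};
static struct conn *tab[TAB_SIZE];
static unsigned rr_next;             /* round-robin cursor (assumed policy) */

static unsigned hash(uint32_t a, uint16_t p) { return (a ^ (a >> 16) ^ p) % TAB_SIZE; }

/* Map a packet to a real server. Only a SYN may create an entry; any other
 * packet without a live entry gets -1 so the caller can drop it. */
int conn_lookup(uint32_t caddr, uint16_t cport, int syn, int nservers, long now)
{
    unsigned h = hash(caddr, cport);
    for (struct conn *c = tab[h]; c; c = c->next)
        if (c->caddr == caddr && c->cport == cport && c->expires > now) {
            c->expires = now + CONN_TIMEOUT;     /* traffic restarts the timer */
            return c->server;
        }
    struct conn *c = (syn && nservers > 0) ? malloc(sizeof *c) : NULL;
    if (!c) return -1;
    c->caddr = caddr; c->cport = cport;
    c->server = (int)(rr_next++ % (unsigned)nservers);
    c->expires = now + CONN_TIMEOUT;
    c->next = tab[h]; tab[h] = c;
    return c->server;
}

/* Unlink and free every stale entry; returns how many were collected. */
int conn_gc(long now)
{
    int freed = 0;
    for (unsigned h = 0; h < TAB_SIZE; h++)
        for (struct conn **pp = &tab[h]; *pp; ) {
            struct conn *c = *pp;
            if (c->expires <= now) { *pp = c->next; free(c); freed++; }
            else pp = &c->next;
        }
    return freed;
}
```

Because only a SYN can allocate an entry and `conn_gc` reclaims idle ones, the table size is bounded by the rate of new connections times the timeout rather than by total traffic.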


